From: Aaron Esau <aaron1esau@gmail.com>
To: linux-bluetooth@vger.kernel.org
Cc: luiz.dentz@gmail.com, marcel@holtmann.org,
	johan.hedberg@gmail.com, linux-kernel@vger.kernel.org,
	Aaron Esau <aaron1esau@gmail.com>
Subject: [PATCH 1/3] Bluetooth: hci_conn: fix UAF in create_big_sync and create_big_complete
Date: Mon, 30 Mar 2026 16:03:47 +0200
Message-ID: <20260330140347.906689-2-git@aaronesau.com>

From: Aaron Esau <aaron1esau@gmail.com>

hci_connect_bis() queues create_big_sync with a raw conn pointer.
create_big_sync blocks in __hci_cmd_sync_sk while a concurrent
hci_conn_del on hdev->workqueue frees conn. On timeout, freed memory
is dereferenced. The dequeue path also double-frees: hci_conn_del
invokes create_big_complete via hci_cmd_sync_dequeue, which calls
hci_conn_del again.

Take hci_conn_get before queueing, add hci_conn_valid checks, handle
-ECANCELED, drop with hci_conn_put in create_big_complete. Follows
the create_le_conn_complete pattern.

Fixes: eca0ae4aea66 ("Bluetooth: Add initial implementation of BIS connections")
Signed-off-by: Aaron Esau <aaron1esau@gmail.com>
---
 net/bluetooth/hci_conn.c | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)

diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index dc08585..59f5451 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -2119,11 +2119,16 @@ static void hci_iso_qos_setup(struct hci_dev *hdev, struct hci_conn *conn,
 static int create_big_sync(struct hci_dev *hdev, void *data)
 {
 	struct hci_conn *conn = data;
-	struct bt_iso_qos *qos = &conn->iso_qos;
+	struct bt_iso_qos *qos;
 	u16 interval, sync_interval = 0;
 	u32 flags = 0;
 	int err;
 
+	if (!hci_conn_valid(hdev, conn))
+		return -ECANCELED;
+
+	qos = &conn->iso_qos;
+
 	if (qos->bcast.out.phy == 0x02)
 		flags |= MGMT_ADV_FLAG_SEC_2M;
 
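Review bot: the hci_conn_valid() check at the top of create_big_sync() runs without hci_dev_lock, whereas the matching check added to create_big_complete() in the next hunk sits between hci_dev_lock(hdev) and hci_dev_unlock(hdev). Unlocked, the check is only a snapshot: the reference taken in hci_connect_bis() keeps the memory alive, but hci_conn_del() can still remove conn right after the check returns true, so the rest of create_big_sync() (including the blocking __hci_cmd_sync_sk path named in the changelog) can still run for a connection that is being torn down. Either add a comment saying why the snapshot is sufficient here (the reference prevents the UAF and the completion path revalidates under the lock), or take hci_dev_lock around the check for consistency with the completion side.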
@@ -2198,11 +2203,24 @@ static void create_big_complete(struct hci_dev *hdev, void *data, int err)
 
 	bt_dev_dbg(hdev, "conn %p", conn);
 
+	if (err == -ECANCELED)
+		goto done;
+
+	hci_dev_lock(hdev);
+
+	if (!hci_conn_valid(hdev, conn))
+		goto unlock;
+
 	if (err) {
 		bt_dev_err(hdev, "Unable to create BIG: %d", err);
 		hci_connect_cfm(conn, err);
 		hci_conn_del(conn);
 	}
+
+unlock:
+	hci_dev_unlock(hdev);
+done:
+	hci_conn_put(conn);
 }
 
 struct hci_conn *hci_bind_bis(struct hci_dev *hdev, bdaddr_t *dst, __u8 sid,
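Review bot: the `if (err == -ECANCELED) goto done;` branch handles two distinct callers and should say so in a comment: the -ECANCELED that create_big_sync() now returns when hci_conn_valid() fails, and the -ECANCELED passed in when hci_conn_del() cancels the queued entry via hci_cmd_sync_dequeue() (the double-free case from the changelog). In both cases another path already owns the teardown, so skipping hci_connect_cfm() and hci_conn_del() and only dropping the reference is the intended behaviour, not an oversight; without the comment the next reader may try to "restore" the cfm call. It is also worth stating in the changelog that hci_conn_del() is now called with hci_dev_lock held in the error path, where the previous code called it unlocked.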
@@ -2331,9 +2349,11 @@ struct hci_conn *hci_connect_bis(struct hci_dev *hdev, bdaddr_t *dst,
 				 BT_BOUND, &data);
 
 	/* Queue start periodic advertising and create BIG */
+	hci_conn_get(conn);
 	err = hci_cmd_sync_queue(hdev, create_big_sync, conn,
 				 create_big_complete);
 	if (err < 0) {
+		hci_conn_put(conn);
 		hci_conn_drop(conn);
 		return ERR_PTR(err);
 	}
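Review bot: the get/put pairing is correct but the ownership rule is implicit; a one-line comment above `hci_conn_get(conn);` would make it explicit: the reference is handed to the cmd_sync queue and is dropped by create_big_complete() on every outcome, so when hci_cmd_sync_queue() itself fails and the destroy callback is never invoked, the caller has to drop it, which is what the new `hci_conn_put(conn);` before the existing `hci_conn_drop(conn);` does. Spelling that out also documents why the put must not be added to any path where the entry was successfully queued.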
-- 
2.52.0


Thread overview: 3+ messages
2026-03-30 14:03 Aaron Esau [this message]
2026-03-30 14:03 ` [PATCH 3/3] Bluetooth: hci_conn: fix UAF in hci_enhanced_setup_sync Aaron Esau
2026-03-30 14:50 ` [1/3] Bluetooth: hci_conn: fix UAF in create_big_sync and create_big_complete bluez.test.bot